CMMC – The smoke is clearing

The time is now for defense contractors to get ready and get certified

The smoke is finally starting to clear on “CMMC 2.0.” Hundreds of companies are already lining up for Cybersecurity Maturity Model Certification assessments. Everything is taking place faster and with far more urgency than most organizations have planned around or prepared for.

The assessment process should be finalized and released in June. Provisional Assessors, Certified Professionals, and CMMC Third Party Assessment Organizations (C3PAOs) will need to be trained and remaining issues with the government’s eMASS reporting system addressed. Interim CMMC assessments should begin later this summer, and the entire DIB (defense industrial base) companies will begin queueing up.

What to Expect

A quick look at the latest CMMC timeline shows rule changes being submitted for internal and interagency review in July 2022 with the results published as a proposed rule for public comment late spring 2023. The final rule that formally enacts CMMC will likely be published in late 2023 or early 2024.

What will begin this summer, however, are Interim Assessments, and the DoD and the CMMC-AB (accreditation body) are encouraging DIB organizations – even offering incentives – for them to complete a CMMC Interim Assessment. These assessments will be performed by Provisional Assessors and Certified Professionals working for a C3PAO, and will follow the Certification Assessment Process (CAP) that should be published this June.

The CAP will ensure consistency across assessors and across C3PAOs, a key imperative of the CMMC program. The C3PAOs have been sanctioned by the DoD and are responsible for achieving this objective, and no matter what industry or area of expertise, each organization that embarks on the CMMC journey should be assured that their assessment will be conducted within repeatable standards and identical methodologies.

More About Interim Assessments

The DoD doesn’t want DIB organizations to wait to satisfy CMMC. CMMC is intended to stem the leakage or theft of sensitive defense information from DoD suppliers, and smaller, sub-tier suppliers are often the target. Addressing the problem is an urgent, national security imperative.

While the CMMC rule-making process takes its time, the DoD is encouraging DIB companies to complete Interim Assessments that will begin later this summer. While a number of incentives are under consideration, the DoD has telegraphed that Interim Assessments will be honored for three years from the date the final rule is published (late 2023 or 2024) rather than for three years from the assessment date, which will be the standard. For example, if an organization completes an Interim Assessment in October 2022 and the final rule is published in March 2024, the Interim Assessment will be effective through March 2027; four and a half years rather than only three. And if the CMMC framework, which is tied to NIST 800-171, changes as a result of revisions to 800-171 (which are in process), completing an Interim Assessment is taking an easier test now than a harder test later.

Given large primes’ focus on supply chain risk management, don’t be surprised if they push CMMC requirements on their suppliers ahead of government enactment. And, for marketing purposes, an early interim certification will make any defense industry subcontractor or supplier far more attractive to government buyers and primes.

And a Word About POA&Ms

The good news is that CMMC 2.0 allows POA&Ms (plans of action and milestones). But before too much celebration, a POA&M will not be allowed for every control – only certain controls will be eligible. POA&M guidance will appear in the CAP when published, but expect controls that have a low Basic Assessment score value under the DIBCAC NIST 800-171 scoring methodology to be POA&M eligible, and those with a high value, a 3 or 5, to be ineligible. The 3’s and 5’s are the hardest and costliest to satisfy.

POA&M execution will be enforced under CMMC 2.0. Allowable POA&M items will need to be addressed by the OSC within 180 days and then re-assessed. If the requirement is satisfied the control will pass. Otherwise, it’s two strikes and you’re out – no certification and you start all over again.

Gaining Clarity

With the CAP, the certification process will be well defined. Expect the process of going through an Interim Certification Assessment, and ultimately a formal Certification Assessment, to go through a series of steps:

• Planning
  • OSC (organization seeking certification) contacts its CMMC Third-Party Assessment Organization (C3PAO)
  • Scope information is gathered; OSC and C3PAO negotiate dates and contracts
  • Assessment plan is completed
• Readiness Review
  • The assessment team (Provisional Assessor and Certified Professionals) determines if OSC is ready and capable of completing assessment
• Assessment
  • The Assessment Team assesses all requirements of the 110 controls via testing, examination, or verification (at least two of those three methods for each requirement)
  • To pass a requirement must be satisfied and confirmed. An organization must say what they are going to do and demonstrate they are doing what they’ve said, and that the desired outcomes are achieved
• Remediation
  • For requirements that have not been satisfied and that are POA&M eligible, 180 days are allowed for remediation of those items
  • Failure to remediate any items can equate to a failed assessment
• Re-Assess POA&M Items
  • The Assessment Team re-assesses POA&M items
  • C3PAO performs QA (quality assurance review) and forwards recommendation to CMMC-AB
  • CMMC-AB issues or denies certification

For Interim Assessment, DIB organizations should identify and work with a C3PAO that is familiar with their industry, understands their environment, can work within their technology stack, and is fully capable of performing assessments within the greater CMMC framework.

Though CMMC may not come to full maturity right away and things are still “interim,” the on-the-ground, mission-critical reality for defense contractors is that adoption is imperative and compulsory. Simply put, early CMMC certification adopters will represent less cyber risk to any entity selecting a vendor, supplier, or partner. Qualifications and processes will only get harder, take longer, and cost more for those who procrastinate.

CMMC Just Got Real

It’s coming sooner than you think. While CMMC 2.0 has fewer controls than its predecessor, the requirements are exacting. The OSC must satisfy all 340 individual requirements within the 110 controls. Preparing for the certification assessment takes time and satisfying those requirements is hard – you not only need to be compliant, you also need to make it clear to an assessor how you are compliant.

As one of the first CMMC advisors, Coalfire can help organizations address CMMC requirements and prepare for their assessment, or when ready, should be able to perform their interim certification assessment. It feels a bit like the long lines forming at a busy airport the Sunday before Thanksgiving. Diligence, order, and discipline are what’s needed for the defense of our nation, and for the protection of our warfighters. Those who make it through the interim process sooner than their competitors will reap the benefits of DoD incentives and gain a real market advantage.

Coalfire will be collaborating with agencies and organizations on a number of initiatives and discussions at events including CMMC Day, Federal Publications Seminars, CFF Summit Roundtable, to help the DIB enter this new era of compliance as efficiently as possible. We’re here to help, and the time to get ready, get going, and get certified has finally arrived.